Health and Cybercrime

Romolo, Francesco Saverio
2023-01-01

Abstract

The importance of confidentiality in the practice of the medical profession has been recognised as a priority since the Hippocratic Oath. The Internet has revolutionised not only citizens' everyday lives but also the handling of health information by medical professionals. The exchange of health data can provide a better response to population health needs, but it also creates new risks. The European Union Agency for Cybersecurity (ENISA, formerly the European Union Agency for Network and Information Security) published its first analysis of the cyber threat landscape of the EU health sector in July 2023. Hospitals have faced many different cyberattacks in recent years, sometimes with significant economic consequences. This article describes the main classes of possible attacks, such as phishing, ransomware, data loss or data theft, attacks on connected medical devices and Distributed Denial of Service (DDoS), and the targets in health information technology (HIT) that are especially attractive to cybercriminals, such as electronic health records (EHR), personal health records (PHR), clinical appointment booking systems and administrative systems. From a medico-legal perspective, it is paramount to frame correctly the issue of current cybercrimes targeting healthcare organisations. Patient safety operators already recognise the issue as a serious threat: a delay in data availability, or the impossibility of obtaining certain information at a critical moment, could lead to serious (if not fatal) consequences for the patient. After examining the laws that protect patients and their data from cyberattacks, we conclude that addressing these threats cannot rely on legal means alone: IT and risk management strategies, together with compliance with standards such as ISO 31000, are also needed for a fruitful approach, with a specific focus on the digital expertise of healthcare professionals and of the administrative staff involved in healthcare.
article
2023
Romolo, Francesco Saverio; Grassi, Simone; Di Luca, Alessandro; Previtali, Michela; Oliva, Antonio
(2023). Health and Cybercrime [journal article]. In EUROPEAN REVIEW OF DIGITAL ADMINISTRATION & LAW. Retrieved from https://hdl.handle.net/10446/305487
Files attached to this record:

File: 2023-Erdal_vol_4 articolo.pdf
Access: open access
Version: publisher's version
Licence: Free to read
File size: 1.28 MB
Format: Adobe PDF

Aisberg ©2008 Library Services, Università degli studi di Bergamo | Terms of use

Use this identifier to cite or link to this item: https://hdl.handle.net/10446/305487